
Threat Profile: Qilin (Agenda) Ransomware Group

Qilin operators focus on high-impact sectors, prominently targeting critical infrastructure, healthcare, education, and manufacturing globally (while strictly excluding CIS countries). By mid-2025, Qilin dominated the ransomware landscape due to their aggressive multi-extortion tactics (encryption, data leak threats, and DDoS attacks) and the technical superiority of their payload generation platform, which allows affiliates to tailor the ransomware execution flow to specific victim environments.

The Qilin payload was originally written in Go (Golang); the operators have since strategically migrated their core ransomware payload to Rust. This transition offers two critical advantages:

  1. Performance: Rust allows for highly concurrent, memory-safe execution, drastically reducing the time-to-encryption across large enterprise networks.
  2. Evasion: Rust-compiled binaries are notoriously difficult for traditional static analysis tools and legacy antivirus engines to reverse-engineer and write signatures for, effectively lowering the initial detection rate.

Recognizing the centralization of enterprise data, Qilin provides its affiliates with a specialized Linux variant designed explicitly to compromise VMware ESXi hypervisors. This allows operators to paralyze dozens of virtual machines with a single execution, severely impacting disaster recovery procedures.

DFIR analysts tracking Qilin intrusions observe a systematic execution chain heavily reliant on exploiting exposed perimeter services and utilizing “Living off the Land” techniques.

  1. Initial Access: Affiliates primarily gain entry via targeted spear-phishing campaigns or by exploiting vulnerable, internet-exposed services. Unpatched Citrix gateways and poorly secured Remote Desktop Protocol (RDP) endpoints are the most frequently observed vectors.
  2. Credential Harvesting: Once an initial foothold is established, operators dump memory from the LSASS process using tools like Mimikatz to extract clear-text credentials and Kerberos tickets.
  3. Lateral Movement: The group heavily utilizes standard administrative tools such as PsExec and Secure Shell (SSH) to propagate across the network without dropping custom backdoors.
  4. Defense Evasion (BYOVD): This is Qilin’s signature move. Prior to deploying the encryptor, the group executes a Bring Your Own Vulnerable Driver (BYOVD) attack. They drop a legitimately signed but vulnerable driver (e.g., ProcPrv.sys from the Process Prowler tool) to gain kernel-level privileges. From the kernel, they terminate EDR and AV processes, rendering the system blind.
  5. Execution & Impact: The highly customized payload is deployed, terminating specific services (databases, backup agents), excluding defined critical system paths, and appending a custom extension to encrypted files.

Due to Qilin’s heavy reliance on legitimate tools and advanced evasion, signature-based detection is often ineffective. Incident Responders must refer to the Ransomware Investigation Playbook and focus on behavioral telemetry.

Log Source / Artifact and the corresponding Indicator of Compromise (IOC) & Hunting Focus:

  System Event Logs: Event ID 7045 (Service Creation). Look for the installation of suspicious or vulnerable kernel drivers (e.g., ProcPrv.sys). This is a high-fidelity indicator of a BYOVD attack.
  Authentication Logs: Anomalous authentications on Citrix gateways or VPN appliances, especially followed by RDP connections (Logon Type 10) originating from compromised jump servers.
  Execution Artifacts: Parse Amcache and Prefetch (.pf) files for traces of enc.exe, decryptor_[...].exe, or unexpected execution of PsExec.exe.
  Known Hashes (SHA256):
    93c16c11ffca4ede29338eac53ca9f7c4fbcf68b8ea85ea5ae91a9e00dc77f01
    54ff98956c3a0a3bc03a5f43d2c801ebcc1255bed644c78bad55d7f7beebd294
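One way to turn the hunting focus of this table into a script, as an added example that is not part of the original profile: the event records, the gateway hostname CTXGW01, the driver-store path check and the simplified field names are constructed or assumed for illustration; the driver file name and the two SHA256 values are the ones listed above.

```python
"""Hunting helpers for the Qilin IOC table above.

This is an added example, not part of the original profile. All event records
are constructed for illustration; the field names loosely follow Windows event
data (7045: ServiceName/ImagePath, 4624: LogonType/IpAddress) but are simplified.
"""
from datetime import datetime, timedelta

# Driver file names the profile associates with Qilin BYOVD activity.
VULNERABLE_DRIVER_NAMES = {"procprv.sys"}

# Payload hashes (SHA256) listed in the profile's IOC table.
KNOWN_HASHES = {
    "93c16c11ffca4ede29338eac53ca9f7c4fbcf68b8ea85ea5ae91a9e00dc77f01",
    "54ff98956c3a0a3bc03a5f43d2c801ebcc1255bed644c78bad55d7f7beebd294",
}

# Hostnames of perimeter gateways in this hypothetical environment (assumption).
GATEWAY_HOSTS = {"CTXGW01"}

# Constructed sample telemetry; none of these are real logs.
EVENTS = [
    {"time": "2025-06-01T02:10:00", "id": 4624, "host": "CTXGW01", "user": "jdoe",
     "logon_type": 3, "src_ip": "203.0.113.7"},
    {"time": "2025-06-01T02:14:30", "id": 4624, "host": "JUMP01", "user": "jdoe",
     "logon_type": 10, "src_ip": "10.0.5.20"},
    {"time": "2025-06-01T02:20:00", "id": 7045, "host": "JUMP01", "service_name": "ProcPrv",
     "image_path": "C:\\Users\\Public\\ProcPrv.sys"},
    {"time": "2025-06-01T02:21:00", "id": 7045, "host": "FS01", "service_name": "BackupAgent",
     "image_path": "C:\\Program Files\\Vendor\\agent.exe"},
    {"time": "2025-06-01T09:00:00", "id": 4624, "host": "WS22", "user": "asmith",
     "logon_type": 10, "src_ip": "10.0.9.4"},
]


def hunt_driver_installs(events):
    """Return 7045 records that install a .sys image with a known vulnerable name
    or from a location outside the Windows driver store."""
    driver_store = "c:\\windows\\system32\\drivers\\"
    hits = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        path = ev["image_path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name in VULNERABLE_DRIVER_NAMES or (
            name.endswith(".sys") and not path.startswith(driver_store)
        ):
            hits.append(ev)
    return hits


def hunt_gateway_then_rdp(events, gateway_hosts=GATEWAY_HOSTS, window_minutes=30):
    """Pair each logon on a gateway host with a later Logon Type 10 (RDP) session
    by the same account within the window. Returns (gateway, rdp_host, user) tuples."""
    logons = [e for e in events if e["id"] == 4624]
    pairs = []
    for gw in logons:
        if gw["host"] not in gateway_hosts:
            continue
        t0 = datetime.fromisoformat(gw["time"])
        for later in logons:
            t1 = datetime.fromisoformat(later["time"])
            if (
                later["logon_type"] == 10
                and later["user"] == gw["user"]
                and t0 < t1 <= t0 + timedelta(minutes=window_minutes)
            ):
                pairs.append((gw["host"], later["host"], later["user"]))
    return pairs


def match_known_hashes(observed_hashes):
    """Return the subset of observed SHA256 values listed as Qilin payload hashes."""
    return sorted(h.lower() for h in observed_hashes if h.lower() in KNOWN_HASHES)


if __name__ == "__main__":
    for hit in hunt_driver_installs(EVENTS):
        print("BYOVD candidate:", hit["host"], hit["image_path"])
    for gw, host, user in hunt_gateway_then_rdp(EVENTS):
        print(f"gateway logon on {gw} followed by RDP to {host} as {user}")
```

The driver-store check is deliberately broad: a legitimate vendor installing a driver from its own program directory will also surface, which is acceptable for a hunt but should be tuned with an allowlist before it is promoted to an alert.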

Detecting the BYOVD technique requires kernel-level visibility. DFIR teams should leverage Sysmon Event ID 6 (Driver Loaded) to monitor for the loading of vulnerable drivers associated with Qilin.

sigma_qilin_byovd.yml

title: Detection of Vulnerable Driver Load (Qilin BYOVD)
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 6
        ImageLoaded|endswith: '\ProcPrv.sys'
    condition: selection
level: high
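To show what the rule above actually matches, and where it falls short, here is a minimal Sigma-style evaluator run over Sysmon Event ID 6 records. It is an added example, not part of the original profile and not a component of the Sigma project: it supports only the modifiers needed here and a condition naming a single selection. The sample events and the driver hash used by RULE_BY_HASH are constructed placeholders, not real IOCs.

```python
"""Minimal evaluator for the Sigma rule above, run over Sysmon Event ID 6 records.

Added example; it is not part of the original profile and not a component of the
Sigma project. It implements only the modifiers needed here (none, endswith,
startswith, contains) and a condition naming a single selection. Sigma string
matching is case-insensitive by default, which the evaluator honours. The sample
events and the driver hash in RULE_BY_HASH are constructed, not real IOCs.
"""

# The page's rule, as the dict a YAML loader would produce.
RULE_BY_NAME = {
    "title": "Detection of Vulnerable Driver Load (Qilin BYOVD)",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {"EventID": 6, "ImageLoaded|endswith": "\\ProcPrv.sys"},
        "condition": "selection",
    },
    "level": "high",
}

# Constructed placeholder for a vulnerable driver's SHA256 (not a real hash).
CONSTRUCTED_DRIVER_SHA256 = "a" * 64

# Variant keyed on the Hashes field Sysmon records for every driver load, so a
# renamed copy of the driver does not evade it. In production the value would
# come from a vendor blocklist rather than this placeholder.
RULE_BY_HASH = {
    "title": "Vulnerable driver load by hash (added example)",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {"EventID": 6, "Hashes|contains": "SHA256=" + CONSTRUCTED_DRIVER_SHA256},
        "condition": "selection",
    },
    "level": "high",
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\ProcPrv.sys",
     "Hashes": "SHA256=" + CONSTRUCTED_DRIVER_SHA256, "Signed": "true"},
    {"EventID": 6, "ImageLoaded": "C:\\TEMP\\PROCPRV.SYS",  # case variant
     "Hashes": "SHA256=" + CONSTRUCTED_DRIVER_SHA256, "Signed": "true"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\update.sys",  # renamed copy
     "Hashes": "SHA256=" + CONSTRUCTED_DRIVER_SHA256, "Signed": "true"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true"},
    {"EventID": 7, "ImageLoaded": "C:\\Users\\Public\\ProcPrv.sys",  # image load, not a driver load
     "Hashes": "SHA256=" + CONSTRUCTED_DRIVER_SHA256, "Signed": "true"},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def field_matches(event, key, expected):
    """Evaluate one selection entry such as 'ImageLoaded|endswith'.
    A list of expected values is OR-ed, as in Sigma."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for exp in _as_list(expected):
        exp = str(exp).lower()
        if modifier == "" and actual == exp:
            return True
        if modifier == "endswith" and actual.endswith(exp):
            return True
        if modifier == "startswith" and actual.startswith(exp):
            return True
        if modifier == "contains" and exp in actual:
            return True
    return False


def rule_matches(rule, event):
    """True when the event satisfies the rule's condition (a single selection name)."""
    detection = rule["detection"]
    selection = detection[detection["condition"]]
    return all(field_matches(event, k, v) for k, v in selection.items())


def run_rule(rule, events):
    """Return the ImageLoaded paths of all events the rule fires on."""
    return [e["ImageLoaded"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print("by name:", run_rule(RULE_BY_NAME, SAMPLE_EVENTS))
    print("by hash:", run_rule(RULE_BY_HASH, SAMPLE_EVENTS))
```

Running it shows the gap: the filename rule catches the two ProcPrv.sys loads (including the upper-case one, since Sigma matching is case-insensitive) but misses the renamed copy, while the hash-keyed variant catches all three. Sysmon records a Hashes field on every Event ID 6, so pairing the page's rule with a hash-based one built from a vendor blocklist is the more robust deployment.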

  1. Perimeter Hardening: Enforce strict Multi-Factor Authentication (MFA) on all Citrix, VPN, and RDP access points.
  2. Block Vulnerable Drivers: Implement Microsoft’s Vulnerable Driver Blocklist via Windows Defender Application Control (WDAC) to mitigate the BYOVD vector natively.